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Abstract 

This paper focuses on the inference of modes for which a logic program is guaranteed 
to terminate. This generahses traditional termination analysis where an analyser tries 
to verify termination for a specified mode. Our contribution is a methodology in which 
components of traditional termination analysis are combined with backwards analysis to 
obtain an analyser for termination inference. We identify a condition on the components 
of the analyser which guarantees that termination inference will infer all modes which can 
be checked to terminate. The application of this methodology to enhance a traditional 
termination analyser to perform also termination inference is demonstrated. 

1 Introduction 

This paper focuses on the inference of modes for which a logic program is guar- 
anteed to terminate. This generalises traditional termination analysis where an 
analyser tries to verify termination for a specified mode. For example, for the clas- 
sic append/S relation, a standard analyser will determine that a query of the form 
append{x,y, z) with x bound to a closed list terminates and likewise for the query 
in which z is bound to a closed list. In contrast, termination inference provides the 
result append{x, y, z) ^ xV z with the interpretation that the query append{x, y, z) 
terminates if a; or z are bound to closed lists. We refer to the first type of analysis 
as performing termination checking and to the second as termination inference. We 
consider universal termination using Prolog's leftmost selection rule and we assume 
that unifications do not violate the occurs check. 

Several analysers for termination checking are described in the literature. We note 
the TermiLog system described in ( |Lindenstraus s and Sagiv 19971 and the system 
based on the binary clause semantics described in (Codish and Taboch 1999|l . Ter- 
mination inference is considered previously by Mesnard and coauthors in l|Mesnard 19961 
IMesnard and Neumerkel 20nil|Mesnard and Ruggieri 2001') ). Here, we make the ob- 
servation that the missing link which relates termination checking and termination 
inference is backwards analysis. Backwards analysis is concerned with the following 
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type of question: Given a program and an assertion at a given program point, what 
are the weakest requirements on the inputs to the program which guarantee that 
the assertion wiU hold whenever execution reaches that point. 

In a recent paper, King and Lu ( |King and Lu 2002| ) describe a framework for 
backwards analysis for logic programs in the context of abstract interpretation. In 
their approach, the underlying abstract domain is required to be condensing or 
equivalently, a complete Heyting algebra. This property ensures the existence of a 
weakest requirement on calls to the program which guarantees that the assertions 
will hold. 

To demonstrate this link between termination checking and termination infer- 
ence, we apply the framework for backwards analysis described by King and Lu 
( [King and Lu 2002| ) to enhance the termination (checking) analyser described in 
l|Codish and Taboch 19991 to perform also termination inference. We use the con- 
densing domain Pes, of positive Boolean formula, to express the conditions on the 
instantiation of arguments which guarantee the termination of the program. 

The use of a standard framework for backwards analysis provides a formal justifi- 
cation for termination inference and leads to a simple and efficient implementation 
similar in power to that described in l|Mesnard and Neumerkel 200111 . It also fa- 
cilitates a formal comparison of termination checking and inference. In particular, 
we provide a condition on the components of the analyser which guarantee that 
termination inference will infer all modes which termination checking can prove to 
be terminating. 

In the rest of the paper, Section|21provides some background and a motivating ex- 
ample. Sectioninireviews the idea of backwards analysis. Section^illustrates how to 
combine termination analysis with backwards analysis in order to obtain termina- 
tion inference and investigates their relative precision. Section|Slpresents an experi- 
mental evaluation. Finally, Sectional reviews related work and Sectional concludes. 
A preliminary version of this paper appeared as Ref. IjGenaim and (Modish 2f)(nll . 
Our implementation IjCodish et al. 2002)l can be accessed on the web. It supports 
termination checking as described in IjCodish and Taboch IQQQ")! and termination 
inference as described in this paper. 



2 Preliminaries and Motivating Example 

We assume a familiarity with the standard definitions for logic programs ( |Lloyd 1987| 
Apt 1990j) as well as with the basics of abstract interpretation l|Cousot and Cousot 19771 
Cousot and Cousot 1992|l . This section describes the standard program analyses 
upon which we build in the rest of the paper. For notation, in brief: variables in 
logic programs are denoted as in Prolog (using the upper case) while in relations. 
Boolean formula, and other mathematical context we use the lower case. We let 
X denote a tuple of distinct variables xi, . . . , a;„. To highlight a specific point in a 
program we use labels of the form (a). 

Size relations and instantiation dependencies rest at the heart of termination 
analysis: size information to infer that some measure on program states decreases as 
computation progresses; and instantiation information, to infer that the underlying 
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domain is well founded. Consider the recursive clause of the append/S relation: 
append{[X\Xs],Ys, [X\Zs]) <— append{Xs,Ys, Zs). It does not suffice to observe 
that the size of the first and third arguments decrease in the recursive call. To 
guarantee termination one must also ensure that at least one of these arguments is 
sufficiently instantiated in order to argue that this recursion can be activated only 
a finite number of times. 

Instantiation information is traditionally obtained through abstract interpreta- 
tion over the domain Pos which consists of the positive Boolean functions augmented 
with a bottom element (representing the formula false). The elements of the do- 
main are ordered by implication and represent equivalence classes of propositional 
formula. This domain is usually associated with its application to infer groundness 
dependencies where a formula of the form a; A — > z) is interpreted to describe 
a program state in which x is definitely bound to a ground term and there exists 
an instantiation dependency such that whenever y becomes bound to a ground 
term then so does z. Similar analyses can be applied to infer dependencies with 
respect to other notions of instantiation. Boolean functions are used to describe the 
groundness dependencies in the success set of a program P as well as in the set 
of calls which arise in the computations for an initial call pattern G. We denote 
these approximations by |-P]pos and l-P'^Jpo"'' respectively. The elements are of the 
form p{x) ^ if where p/n is a predicate defined in P and is a positive Boolean 
fmiction on x. For details on Pos see ( [Marriott and S0ndergaard 1993| ). 

Size relations express linear information about the sizes of terms (with respect to a 
given norm function) \De Schreye and Verschaetse 19951 IKarr 1976;) . For example, 
the relation x < z f\ y < z describes a program state in which the sizes of the terms 
associated with x and y are less or equal to the size of the term associated with z. 
Similarly, a relation of the form z = x-\-y describes a state in which the sum of the 
sizes of the terms associated with x and y is equal to the size of the term associated 
with z. Here the variables represent sizes and hence are implicitly constrained to be 
non-negative. Several methods for inferring size relations are described in the litera- 
ture dBenoy and King 1996||Brodsky and Sagiv 1989|lCousot and Halbwachs 19781 
Schreye and Verschaetse 1995| ). They differ primarily in their approach to ob- 
taining a finite analysis as the abstract domain of size relations contains infinite 
chains. For a survey on termination analysis of logic programs see | |De Schreye and Decorte 1994| 

Throughout this paper we will use the so-called term-size norm for size relations 
for which the corresponding notion of instantiation is groundness. We base our pre- 
sentation on the termination (checking) analyser described in l|Codish and Taboch 1999jl 
although we could use as well almost any of the alternatives described in the liter- 
ature. This analyser is based on a bottom-up Tp like semantics which makes loops 
observable in the form of binary clauses. This provides a convenient starting point 
for termination inference as derived in this paper. We denote the abstraction of 
this semantics for a program P over the domain of size relations as |-P]si"e- Each 
element of |-P]si"e represents a loop and is of the form p{x) ^ TT,p{y) where tt is a 
conjunction of linear constraints. In the examples these are represented as lists of 
constraints. 

We proceed to demonstrate our approach by example in four steps: 
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The first step: Consider the append/ 3 relation. 

append ( [X I Xs] , Ys , [X I Zs] ) : - append (Xs , Ys , Zs) . 
append ( [] ,Ys,Ys) . 

Termination checking reports a single abstract binary clause: 
append ( A, B,C) :- [D<A, F<C, B=E] , append (D, E, F) . 

indicating that subsequent calls append{A, B, C) and append{D, E, F) in a com- 
putation, involve a decrease in size for the first and third arguments (D < A and 
F < C) and maintain the size of the second argument {B = E). To guarantee that 
this loop may be traversed only a finite number of times, it is sufficient to require 
that cither or C be sufficiently instantiated. This can be expressed as a Boolean 
condition: append{x, y, z) <— {xW z). 

Backwards analysis is now applied to infer the weakest conditions on the pro- 
gram's predicates which guarantee this condition. For this example the inference 
is complete and we have derived the result: appendix, y, z) ^ x\/ z interpreted as 
specifying that append{x, y, z) terminates if a; or 2; are bound to ground terms. 

The second step: Consider the use of append/ 3 to define list membership. Adding 
the following clause to the program introduces no additional loops: 

member(X,Xs) :- append(A, [X|B] ,Xs) . 

Backwards analysis should specify the weakest condition on member{X, Xs) which 
guarantees the termination condition A V Xs for append{A, [X\B], Xs). This is 
obtained through projection which for backwards analysis is defined in terms of 
universal quantification as V^.(A V Xs). The resulting Boolean precondition is: 
member{x, y) ^ y indicating that member{x, y) terminates if y is ground. 

The third step: We now add to the program a definition for the subset/2 relation: 

subset ( [XI Xs] ,Ys) :- member (X,Ys) , subset (Xs, Ys) . 

subset ( [] ,Ys) . 

Termination checking reports an additional loop: 
subset(A,B) :- [B=D,C<A] , subset(C,D). 

which will be traversed a finite number of times if A is sufficiently instantiated. For 
the first clause to terminate both loops must terminate: for append/3 in the call 
to member{X, Ys) and for subset/2 in the call to subset{Xs, Ys). So both Xs and 
Ys must be instantiated which implies that both arguments of subset/ 2 should be 
ground inputs. Namely, subset{x, y) ^ x Ay. 

The fourth step: This step demonstrates that the precondition on a call in a clause 
body may be (partially) satisfied by answers to calls which precede it. Consider 
adding to the program a clause: 

s(X,Y,Z) :- (a) appendCX, Y,T) , ® subset(T,Z). 
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which defines a relation s{x, y, z) such that the set z contains the union of sets x 
and y. The preconditions for termination derived in the previous steps specify the 
conditions xWt and t/\z at points (a) and (B) respectively. In addition, from a standard 
groundness analysis we know that on success append{x, y, t) satisfies {xAy) ^ t. So, 
instead of imposing on the clause head both conditions from the calls in its body, 
as we did in the previous step, we may weaken the second condition in view of the 
results from the first call. Namely {{{x A y) ^ t) ^ t A z). Now the termination 
condition inferred for s{x, y, z) is V(.((a; V i) A (((x Ay) ^ t) ^ t A z)) = x Ay A z. 

In general, the steps illustrated above, though sufficient for these simple examples, 
do need to be applied in iteration. In the next section we describe more formally 
the steps required for backwards analysis. 

3 Backward Analysis 

This section presents an abstract interpretation for backwards analysis using the 
domain Pes distilled from the general presentation given in ( |King and Lu 2002) ). 
Clauses are assumed to be normalised and contain assertions so that they are of the 
form h{x) <— . . . , 6„ where ^ is a Pos formula, interpreted as an instantiation 

condition that must hold when the clause is invoked, and bi is either an atom, or a 
unification operation. 

The analysis associates preconditions, specified in Pos, with the predicates of the 
program. Initialised to true (the top element in Pos) these preconditions become 
more restrictive (move down in Pos) through iteration until they stabilise. At each 
iteration, clauses are processed from right to left using the current approximations 
for preconditions on the calls together with the results of a standard groundness 
analysis to infer new approximations for these preconditions. 

For the basic step, consider a clause of the form: p <— . . . (a), q,(G) ... and assume 
that the current approximation for the precondition for a predicate q is ipq, the 
success of q is approximated by ipq, and that processing the clause from right to left 
has already propagated a condition Cf, at the point (B). Then, to insure that e?, will 
hold after the success of q, it suffices to require at (a) the conjunction of ipq with 
the weakest condition a such that {a A 4'q) c-b- This a is precisely the pseudo- 
complement (jGiacobazzi and Scozzari 1998|) of V'g with respect to ef,, obtained as 
ipq ^ ^b- So propagating one step to the left gives the condition ea — (pqA{iljq et). 

Now consider a clause h{x) <— /i o &i, . . . , 6„ with an assertion fi G Pos. Assume 
that the current approximation for the precondition of h{x) is ip and let ipi and (pi 
denote respectively the approximation of the success set of bi (obtained through 
standard groundness analysis) and the current precondition for 6^ (1 < i < n). 
Backwards analysis infers a new approximation Lp' of the precondition for h{x) by 
consecutive application of the basic step described above. We start with e„+i — true 
and through n steps (with i going from n to 1) compute a condition ei = (piA {tl^i — > 
Ci+i) which should hold just before the call to hi. After computing ei we take 
eo = ^1 A ei and project eo on the variables x of the head by means of universal 
quantification. The new condition is finally obtained through conjunction with the 
previous condition ip. Namely, ip' — ip A Vx. cq. 
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There is one subtlety in that Pos is not closed under universal quantification. 
To be precise, elimination of x from a G Pos is defined as the largest element in 
Pos which implies Vjj.cr. When Va;.cr is not positive then the projection gives false 
which is the bottom element in Pos. 



Example 3.1 
Consider the clause 

subset(A,B) :- @ A o 
@ member (X,Ys) , t 



i) A= [X I Xs] , @ B=Ys , 
subset (Xs ,Ys) @. 



where the assertion A states that the first argument must be ground and the success 
patterns (derived by a standard groundness analysis) and the current approxima- 
tion of the preconditions are (respectively): 



member{x,y) ^ y 
subset{x, y) ^ X 



member(x, y) ^ {y ^ x) 
subset{x, y) ^ (y x) 

Starting from 65 = true, the conditions 64, . . . , ei are obtained by substituting 
in ei = (fi A {"tpi —^ e^+i) as illustrated in the following table: 



i 




tpi 


4 


Xs 


Ys - 


3 


Ys 


X 


2 


true 


B ^ 


1 


true 


A^ 



Xs 
Xs 
Ys 

{X A Xs) 



(A 



true 
YsA{X ^ Xs) 
{B ^ Ys) (Ys A{X Xs)) 
{X A Xs)) -.{B^ Ys) {Ys A {X 



Xs)) 



We now obtain e^ as A A ei and projecting eo to the variables in the head gives 
Vjcs,Fs,x-(eo) = A A B. Which leads to the new precondition subset{x, y) ^ x Ay. 



In ( |King and Lu 2002) ), the authors formalise backwards analysis as the greatest 
fixed point of an operator over Pos. In our implementation (Codisl Tet al. 2002|l 
backwards analysis is realised as a simple Prolog interpreter which manipulates 
Boolean formula using a package for binary decision diagrams written by Armstrong 
and Schachte (used in ( [Armstrong et al. 1998| ) and described in l|Schachte 1999|l ). 



4 From termination checking to termination Inference 

Termination checking aims to determine if a program is guaranteed to terminate 
for a specified mode. Termination inference aims to infer a set of modes for which 
the program is guaranteed to terminate. To be precise, we introduce the following 
definition and terminology. 

Definition 4^.1 [Mode) 

A mode is a tuple of the form p{mi, . . . , rUn) where rui {1 < i < n) is either b 
("bound") or f ("free"). We can view a mode as a call pattern p{x) ^ ip where 
if = A { Xi \ Xi = h A {\ < i < n) }. 
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Given a norm function, we say that a program terminates for a mode p{mi , . . . , rUn) 
if it terminates for all initial queries p(ti, . . . , t„) such that for 1 < i < n, nii — h 
implies that ti is rigid with respect to the given norm. 

This section describes how an analyser for termination inference can be derived 
from an analyser for termination checking together with a component for backwards 
analysis. We first describe in Section IHI the activities performed by an analyser for 
termination checking. Then, in Section IT!^ we explain how some of these activities 
are combined with a backwards analysis component to obtain an analyser for ter- 
mination inference. Finally, in Sect ion [4.31 we compare the precision of termination 
checking and inference. 

4-1 Termination Checking 

Termination checking involves two activities: first, the loops in the program are 
identified and characterised with respect to size information; and second, given the 
mode of an initial query, it is determined if for each call pattern in a computation 
and for each loop, some measure on the sizes of some of the sufficiently instantiated 
arguments in the call decrease as the loop progresses. 

In the analyser described in IjCodish and Taboch 1999|l these activities are per- 
formed in two phases. The first (goal independent) phase computes a set of abstract 
binary clauses l-Plg^^e which describe, in terms of size information, the loops in the 
program P. The second (goal dependent) phase determines a set of call patterns 
I^*^lpos* for a initial mode G and checks that for each call in |P'^]po"'' and each 
corresponding loop in |P]^™e there exists a suitable well-founded decreasing mea- 
sure. The next definitions provide the notions required to state the theorem which 
follows (reformulating Proposition 6.5 in l|Codish and Taboch IQQQ")! ) to provide a 
sufficient termination (checking) condition. 

Definition (Decreasing arguments set) 

A set of arguments / = {xi-^, . . . , Xi,.} C x is decreasing for an abstract binary 
clause /3 = p{x) ^ Tr,p{y) if there exist coefficients ai,...,afc such that tt \= 
aiXii + ■ ■ ■ + flfcXij. > fliyij -I- • • ■ -I- OkUi^ ■ The set of all decreasing sets of arguments 
for (3 is denoted by D{P). 

Note that by definition X'(/3) is closed under extension. Namely, if / G D{(3) and 
I' ^ I then /' G D{(3) (simply map coefficients for the arguments in /' \ / to 0). 

Definition 4-3 {Instantiated arguments set) 

We say that a set of arguments / C x is instantiated in a call pattern k = p{x) <— tp 
if if \= A { x\ X & I }. We denote by I^p the set of all arguments instantiated in k. 

Theorem 4-1 ( Termination Condition) 

Let P be a logic program and G an initial call pattern. If for each call pattern 
K = p{x) ^ If ^ \P'^Ypos^ a-nd corresponding binary clause f} = p{x) ^ TT,p{y) G 
I^lsize there exists a set of arguments I C x which is instantiated in k and decreasing 
for /3 then P terminates for G. 
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Example 4-1 

The analysis of the append/3 relation (detailed in Section for the initial mode 
G = append(b, b, f) gives: 

IPfsT.e = { append(A,B,C) ^ [D < A, F < C, B = E], append(D, E, F) } 

IP%'JI' = { append(A, B, C) ^ A A B } 

The termination condition holds for this single binary clause and call pattern with 
/ = {A} as well as with / = {A, B}. 

We now focus in on that component of the termination checker that checks if the 
termination condition is satisfied for a call pattern p{x) <— ip and a corresponding 
binary clause /3. We denote by CHK(/,/3) the decision procedure which is at the 
heart of this component and determines if some subset of / is decreasing for (3. 
Since any decreasing and instantiated enough set of arguments is a subset of 7,^, 
the analyser will typically invoke CHK(/;p, /3). 

For the correctness of termination checking, CHK(/, /?) must be sound but need 
not be complete. Namely if CHK(/, /3) reports "yes" then I must be a decreasing set 
of arguments for f3. The termination analyser described in l)Codish and Taboch 1999ll 
applies a simple (and fast) decision procedure which is not complete but works well 
in practise. For a call p{x) <— (p with instantiated variables I^p — {xi-^ , . . . ,Xi^} and 
a matching binary clause p{x) <— Tr,p{y) the system checks if tt |= + • • • + y,;^ > 
+ • • • + Xi^, (recall that all of the variables are non-negative). If not, then it 
reports "yes" because it must be the case that for some I < j < k, yi. < Xi- and 
hence the singleton {xi-} is a decreasing argument set. 

A complete procedure for CHK (denoted SVG) is described in IjSohn and van Gelder 199J)l 
and discussed also in IjMesnard and Neumerkel 200 There the authors observe 
that checking the satisfiability of the non-linear constraint system ttABoi, . . . , afc.(aiXij + 
• • • + akXi^ > aij/ij + • • • + akVif.), for coefficients oi, . . . , Ofc, is equivalent to check- 
ing that of the dual constraint system which is linear. See the references above for 
details. The TerminWeb analyser IjCodish et al. 2002|i) offers the optional use of this 
procedure. 

4-2 Termination Inference 

Our approach to termination inference proceeds as follows: (1) The first phase of 
the termination checker is applied to approximate the loops in the program as bi- 
nary clauses with size information (|-P]size); (2) Each loop in l-Pj^^e is examined to 
extract an initial (Boolean) termination assertion on the instantiation of arguments 
of the corresponding predicate which guarantee that the loop can be executed only 
a finite number of times; and (3) Backwards analysis is applied to infer the weak- 
est constraints on the instantiation of the initial queries to guarantee that these 
assertions will be satisfied by all calls. 

Intuitively, an initial termination assertion for a predicate p{x) is a Boolean 
formula constructed so as to guarantee that each binary clause has at least one set 
of arguments which is instantiated enough and decreasing. To this end, the best we 
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can do for a given binary clause (3 is to require the instantiation of the variables in 
(at least) one of of the decreasing sets of arguments in T>{f3) (a disjunction). This 
gives the most general initial termination assertion for f3. For a predicate in the 
program, the assertions for all of its binary clauses must hold (a conjunction). In 
practise, an analyser for termination inference involves a component INF(/3) which 
approximates 'D^P) (from below) for an abstract binary clause /3. For the correctness 
of termination inference, INF(/3) must be sound but need not be complete. Namely 
it may return a subset of X'(/3). Of course if it is complete (i.e. computes 'D{(3)) 
then the inference will be more precise. Given such a procedure INF(/3), the initial 
termination assertions are specified as follows: 

Definition 4-4 (Initial Termination Assertion) 

Let P be a logic program. The initial termination assertions for a binary clause 
P G I^'lsize: ^^'^ ^ predicate p/n G P are given as: 



where B C |P]^™e is the set of binary clauses for p{x) in iPj^^e- 

Note that we can assume without loss of generality that INF is closed under 
extension as the assertions /i(/3) are invariant to the addition of extending sets of 
arguments. 

Example 4-^ 

Consider as P the split /i relation (from merge sort): 
split([], [],[]). 

splitC [XlXs] , [XI Ys] ,Zs) :- split (Xs , Zs ,Ys) . 

The binary clauses obtained by the analyser of l|Codish and Taboch 1999jl are: 

/3i = split{xi,X2,x^) ^ [yi < xi.yz < X2,xz = y2], split[yi,y2,y^). 
/32 = split{xi,X2,x:i) ^ [yi < xi,y2 < X2,yz < x^], split{yi,y2,y3)- 
/Jg = split{xi,X2,X3) ^ [yi < xi,y3 < X2,y2 < X3], split(yi,y2,yi,). 

Here, /3i represents the size information corresponding to passing one time through 
the loop defined by the second clause; [32 the information corresponding to any even 
number of times through the loop; and /?3 any odd number of times (greater than 



Let S] denote the closure of a set S under extension with respect to the variables 
of interest. Assuming that INF(/3i) = INF(/33) = {{xi}, {2:2, x^}}] (note that yi < xi 
and y2 + V3 <X2+ x^) and INF(/32) = {{xi}, {2:2}, {x^}}] (note that yi < Xi,y2 < 
X2, ys < X3), we have tiiPi) = tiiPs) = V (2^2 Axg); and /x(/32) = xi Vx2 Vxg. The 
assertion for spZit/3 is: ^j,{split{xi,X2,X3)) = /^(/3i) A/Lt(/32) A/x(/33) = xi V (x2 Axg). 
Backwards analysis starting from this assertion infers the termination condition 
Xi V (a;2 A X3) for split{xi, X2, X3). 

The result of backwards analysis is a positive Boolean formula for each predicate 
describing the conditions under which a corresponding initial query terminates. 
The following definition specifies how the initial modes for terminating queries are 
derived from this formula. 





l3eB 
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Definition 4-5 (Terminating mode) 

Let P be a logic program. We say that p(mi , . . . , r7i„) is terminating for p{xi, . . . ,x„) 
defined in P if the conjunction A{xi \ nii ~ b} implies the condition inferred by 
termination inference for p{x). 

Example 4-3 

Consider again the split/3 relation given in Example 14.21 for which we inferred 
^{split{xi,X2,X3)) = xiV {x2 Axs). Both split{b, f, f) and split{f ,b,b) are termi- 
nating modes because xi and {x2 A a;3) imply xi V {x2 A x^). 

The correctness of the method described follows from the results of IjCodish and Taboch 1999)l 
and dKing and Lu 2002D . 

Theorem 4. 2 

Let INF be a sound procedure, P a logic program and pifh) a terminating mode 
for p{x) inferred by termination inference. Then P terminates for p{rh). 

Proof 

Let G — p{t) be an initial query described by the inferred terminating mode p{fri). 
The correctness of backwards analysis garantees that when executing G, any call 
to a predicate q/n satisfies the assertions inferred for q/n. From the specification 
of the initial termination assertion fPefinition I4.4|l we know that fi{q{x)) \= n{l3) 
for each /3 = q{x) <— tt, q{y) G |P]si"e- Hence, at least one set of arguments for /3 is 
decreasing and sufficiently instantiated. This means that the termination condition 
of Theorem 14. II holds. □ 

In the analyzer for termination inference implemented in the context of this work 
IjCodish et al. 2002jl we adopt for INF a fast though incomplete procedure. Given a 
binary clause (3 = p{x) <— TT,p{y) the procedure works as follows where we denote 
the arguments of p{x) as Z = {1, . . . ,n}: First, it computes the set 2' = {i \ tt 
Xi > Hi} which includes all argument positions that are decreasing. Each singleton 
subset of X' is reported by the procedure to be a decreasing set of arguments; 
Second, it checks if the sum of the non-decreasing arguments is decreasing. Namely, 
if 

iex\x' iei\x' 
If so, then it reports that X \ X' is a decreasing set of arguments. 

Performing step 2 does appear to make a difference. This simplistic approach 
works well in practice for the standard benchmarks and guarantees scalability of 
the analysis. For example consider the binary clause f3i from Example 14.21 The 
only decreasing singleton is {xi} and the set of all non-decreasing arguments 
{ X2,X3 } is also decreasing, this enables the detection of the terminating mode 
split{xi,X2, X3) <— X2 /\ X3. 

In l|Mesnard and Neumerkel 2001|l . the authors adopt a complete algorithm for 
INF which they call Extended SVG. Similar to SVG the authors consider the dual 
(linear) constraint system of the form tt A {aiXki -f • ■ • -I- OkXki > aiVki + ■ • • -I- 
dkUki)- But instead of checking for satisfiability, they look for the smallest subsets 
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{ a;fei , • • • a^fci } C a; for which the constraint system is satisfiable. This is done by 

projecting the system tt A {aiXi H h a„a;„ > aiyi H h a„?/„) on the variables 

ai, . . . , o„ and systematically trying to bind some of the a^'s to zero. In general this 
can require an exponential number of steps. However, the author's experimentation 
indicates that the algorithm works well in practise. See the reference above for 
details. 

4-3 Precision of Termination Checking vs. Inference 

To compare the precision of an analyser for termination checking with one for 
termination inference the relevant question is: Is there some mode which can be 
checked to be terminating which is not inferred to be terminating (or vice versa)? 
In particular we would like to compare the precision of our own two analysers for 
checking and inferring termination as well as with the cTI analyser for termination 
inference. In the next section we provide an experimental comparison for both 
efficiency and precision. Here we are concerned with a theoretical comparison. 

To keep all else the same, we will assume that the analysers being compared 
obtain the same approximations of a program's loops ([f'lsi"^ '^^^ terminology) 
and use the Pas domain to approximate instantiation information. For our two 
analysers these assumptions are of course true as we use the same component to 
compute [P]^'>,. 

Given that all other parameters in the analysers are the same, it is the relation 
between the precision of the specific choices for the procedures CHK and INF which 
determine the relevant precision of termination checking and termination inference. 
The comparison for a given choice of CHK and INF is done by considering for each 
abstract binary clause (3 the sets INF(/3) and | /| CHK(/, /?) = "yes" }. If these 
sets are equal for all /3 then we say that CHK and INF are of the same accuracy. In 
particular if both CHK and INF are complete then they are of the same accuracy, 
As we have already noted, cTI employs an INF procedure which is complete and 
TerminWeb applies CHK and INF procedures which are sound but not complete. 

The following theorem states that if CHK and INF are of the same accuracy then 
termination checking and inference report equivalent results. 

Theorem 4-3 

Let Ate and Au be analysers for checking and inferring termination based on proce- 
dures CHK and INF of the same accuracy and assume that these analysers approx- 
imate loops and instantiation information in the same way. Assume also that An 
is based on backwards analysis. Then, Ate reports that P terminates for a mode 
p{m) if and only if p(m) is inferred by Ati- 

Proof 

Let us first make two simple observations concerning backwards analysis: 

- (BAi): Let P be a logic program, G = q{rh) an initial call pattern, = 
A { cci I irii = b } and P' a logic program with assertions defined by intro- 
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ducing to the clauses in P the call patterns from |-P'~^]pos ^ as initial assertions: 



Then, if q{x) ^ ipq is the result of backwards analysis of P' for q{x), then 



- (BA2): Let Pi be a logic program with assertions and let q{x) <— (pi be the 
result of backwards analysis of Pi for q/n. Let P2 be a program obtained 
by replacing an assertion /ii in Pi by an assertion ^2 such that fii |= fi2 and 
let q{x) <— ip2 be the result of backwards analysis of P2 for q/n. Then tpi |= (^2- 

Let G = q(rh) be a mode for which Ate proves termination, we show that G is 
inferred by Au ■ Denote tpq — A { Xi \ mi = b } and let p{x) G IP*^]™""' and 
(3 = p{x) ^ 7r,p(y) £ |Plsi"e- Consider the set of variables instantiated in (p. 
CHK(/^,/?) answers "yes" because Ate proves termination and by the assumption 
that CHK and INF are of the same accuracy, G \Nf{/3). Hence, by Definition l4.4l 
Alip \= fi{p{x)). By Definition l4.3l (i7 ^ Al^, so we have ip \= ^{p{x)) (*). Let q{x) <— 
(fig be the result of backwards analysis for P with call patterns from |P'^]pos'' as 
initial assertions. By observation (BAi) q{x) ^ ipq is the call pattern from q/n and 
hence ipq ^ pq (because G is one of the call patterns for q/n). 

Now by (*), the termination assertions {fi{p{x))) are more general than the call 
patterns {(p) and hence by observation (BA2) tpq implies the result of backwards 
analysis with termination assertions replacing call patterns. In particular this is the 
case for q{x) and so G is inferred by Ati to be a terminating mode for P. 

Let G be a terminating mode inferred by Ati, we show that Ate proves ter- 
mination of G. For this we show that for any p{x) ^ ip € IP^Jpo^'s^ and /3 = 
p{x) <— T^,p{y) & IPTsTze there exists a decreasing set of arguments which is also 
instantiated enough: From the correctness of backwards analysis we know that 
ip \= ii,{p{x)) \= iJi{(3), and since n[l3) was constructed in order to guarantee that 
at least one decreasing arguments set for j3 is instantiated enough, so there exists 
/' e INF(/3) such that /' C I^i^p) C I^. Since INF(/3) can be assumed without loss 
of generality to be extensive G INF(/3) and according to the accuracy require- 
ments CHK(/^, (3) answers "yes" . So the termination condition holds and Ate proves 
termination for G. □ 

In the case of our analysers, using the fast versions of CHK and INF, checking is 
always as precise as inference. This follows as a simple result from the definitions 
of CHK and INF. However, inference may be weaker than checking. The benchmark 
program rev_interleave in Tabic ^ demonstrates this case. Enhancing our anal- 
ysers with SVG and Extended SVG for CHK and INF respectively, would result in 
analysers which infer and check the same sets of modes. This because both SVG and 
Extended SVG are complete and hence of the same accuracy. Note that we cannot 
make such a comparison for termination inference as implemented in cTI because 
it is based on a different technique for inferring termination conditions. While this 
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technique seems equivalent to backwards analysis, to make a formal comparison we 
would need to prove that it supports the two claims (BAi) and (BA2). 

5 Experimental Results 

This section describes an evaluation comparing our termination inference and termination 
checking analysers. We also compare our analyser for termination inference with the cTI 
( Mcsnard and Ncumcrkcl 2001 S analyzer. For the experiments described, our analyser runs 
SICStus 3.7.1 on a Pentium III 500MHZ machine with 128MB RAM under Linux RedHat 
7.1 (kernel 2.4.2-2). The cTI analyser runs SICStus 3.8. 4 on an Athlon 750MHz machin e 
with 256MB RAM. The timings for cTI are taken from IjMesnard and Neumerkel 2001^ . 

Table indicates analysis times in seconds for three blocks of programs. The first two 
blocks correspond respectively to the programs from Tables 2 and 5 in ( Mcsnard and Neu merkel 200l| . 
The third block contains two programs included to make a point detailed below. The 
analysis parameters are the same as those reported in lIMesnard and Neumerkel 200 H 
— term-size norm with widening applied every third iteration, except for the programs 
marked by a ★ for which the list-length norm is applied and widening is performed every 
fourth iteration. The columns in the table indicate the cost for: 

- Joint: The activities common to termination checking and inference: preprocessing 
(reading, abstraction, computing sees, printing results), size analysis (to approxi- 
mate binary clauses) and groundness analysis (to approximate answers). Note that 
in TerminWeb, the checking component uses groundness analysis as described in 
IjCodish and Demoen 1995ll while the inference component uses a faster BDD based 
analyser. For the sake of comparison we consider the timing of the BDD based 
analyser for both checking and inference. 

- Inf: The activities specific to termination inference: computing initial instantiation 
assertions as specified in Definition 14.41 (about 90%) and performing backwards 
analysis (about 10%). 

- Check: The additional activities specific to termination checking for a single one 
of the top-level modes inferred to terminate. 

- Total Inf: The total analysis time for inference using our analyser (Joint -|- Inf). 

- cTI: The total analysis time for inference using cTI (timings as reported in (jMesnard and Neumerkel lOOTl ') 

Regarding precision For the first block of programs we infer exactly the same termi- 
nation conditions as cTI. For the second block (of larger programs), we infer the same 
number of terminating predicates as does cTI, except for the last three programs where a 
"©" indicates that we infer termination for more predicates than does cTI and a "Q" vice- 
versa. These differences stem from the fact that the two analysers are based on slightly 
different components for approximating loops. For all programs, in the first two blocks, 
our termination checker verifies termination for the same set of modes as our termination 
inference infers. Note that for the second block of programs we count only the number of 
terminating predicates in order to be consistent with the experiments reported for cTI in 
liMesn ard and Neumerkel 200'Tl. The two programs in the third block demonstrate how 
the precision of the CHK and INF affect the precision of the analysis. Here indicates 
that inference with Extended SVG is more precise than inference with our simplified INF 
procedure, and g) indicates that our termination checking gives a more precise result than 
our termination inference - this is due to the fact that our choice of CHK and INF are not 
complete (as described in Section f4. 311 . 

Regarding timings The comparison of the columns Total Inf and cTI indicate that 
TerminWeb and cTI are comparable for termination inference. We note that the published 
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1 Program 


Joint 


Inf 


Check 


Total Inf 


1 cTI 1 




permute 


0.13 


0.01 


0.04 


0.14 


0.15 






duplicate 


0.03 


0.00 


0.02 


0.03 


0.05 






suml 


0.05 


0.01 


0.02 


0.06 


0.18 






merge 


0.19 


0.02 


0.04 


0.21 


0.26 






dis-con 


0.09 


0.01 


0.04 


0.10 


0.24 






reverse 


0.07 


0.01 


0.02 


0.08 


0.08 






append 


0.06 


0.00 


0.00 


0.06 


0.09 






list 


0.03 


0.00 


0.00 


0.03 


0.01 






fold 


0.05 


0.01 


0.02 


0.06 


0.10 






Ite 


0.07 


0.00 


0.02 


0.07 


0.13 






map 


0.05 


0.00 


0.02 


0.05 


0.09 






member 


0.05 


0.00 


0.00 


0.05 


0.03 






mergesort 


0.44 


0.02 


0.06 


0.46 


0.43 






mergesort* 


1 nn 
l.UU 


n no 
u.uz 


n 1 n 
U.IU 


1 no 
i.Uz 


0.57 






mergesort _ap 


U.Do 


U.U4 


n Qn 
U.oU 


n 


0.79 






mergesort _ap* 




U.Uo 


n Qn 
U.oU 


i.oo 


0.92 






naive_rev 


n 1 n 
U.IU 


U.UU 


n no 
U.UZ 


n 1 n 
U.IU 


0.12 






ordered 


U.Uo 


U.UU 


n nn 
U.UU 


n nQ 
U.Uo 


0.04 






overlap 


U.UD 


n nn 

U.UU 


n no 
u.uz 


n c\« 

U.UD 


0.05 






permutation 


U.iZ 


n m 
U.Ul 


n n/1 
U.U4 


n 1 Q 
U.lo 


0.15 






quicksort 


U.oy 


n n/1 
U.U4 


n 1 o 
U. iz 


n /I Q 
U.4o 


0.39 






select 


U.IU 


n nn 
U.UU 


n m 
U.Ul 


n 1 n 
U.IU 


0.08 






subset 


nil 


n nn 
U.UU 


n no 
u.uz 


nil 
U.ll 


0.09 






sum2 


0.08 


0.01 


0.02 


0.09 


0.12 






ann 




U.oo 


n (^n 

U.DU 


^ no 


5.01 






bid 


0.68 


0.06 


0.18 


0.74 


0.79 






boyer 


2.70 


0.05 


0.14 


2.75 


3.53 






browse 


1.01 


0.15 


0.37 


1.16 


1.81 






credit 


0.49 


0.05 


0.15 


0.54 


0.61 






peephole 


4.59 


0.09 


0.58 


4.68 


12.08 






plan 


1.08 


0.04 


0.20 


1.12 


0.71 






qplan 


11.04 


0.54 


3.43 


11.58 


7.30 






rdtoke 


2.93 


0.17 


0.40 


3.10 


2.92 






readG 


4.55 


0.07 


0.17 


4.62 


6.87 






warplanffi 


2.66 


0.17 


0.26 


2.83 


3.18 






loop© 


0.04 


0.00 


0.03 


0.04 








rev_interleave0® 


0.21 


0.02 


0.03 


0.23 







Table 1. Experimental Results 



results for cTI are obtained on a different machine, the two analyzers are implemented 
using different versions of Sicstus Prolog and they use different libraries for manipulating 
constraints. For arithmetic constraints, TerminWeb uses the clp(R) library while cTl uses 
the clp(Q) library. The prior is more efficient but may loose precision. For Boolean con- 
straints, TerminWeb uses the BDD library described in llSchachte 199911 . while cTl uses 
the Sicstus clp(B) library. The prior is considerably faster. More interesting is to notice 
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the comparison of columns Inf and Check which indicates that the cost of inferring all 
terminating modes at once (computing assertions and apply backards analysis) is typically 
faster than performing a termination check for a single mode. 

6 Related Work 

This paper draws on results from two areas: termination (checking) analysis and back- 
wards analysis. It shows how to combine components implementing these so as to obtain 
an analyser for termination inference. Termination checking for logic programs has been 
studied extensively (see for example the survey l |De Schreye and Decorte 1994| |). Back- 
wards reasoning for imperative programs dates back to the early days of static analysis 
and has been applied extensively in functional programming. Applications of backwards 
analysis in the context of logic programming are few. For details concerning other applica- 
tions of backwards analysis, see jKing and Lu 2002). The only other work on termination 
inference that we are aware of is that of Mcsnard and coauthors. The implementation 
of Mesnard's cTI analyser is described in ( Mcsnard and Neumerkel 200111 and its formal 
justification is given in ( |Mesnard and Ruggieri 20011 . 

The two techniques (cTI and ours) appear to be equivalent. The real difference is in the 
approach. Our analyser combines termination checking and backwards analysis to perform 
termination inference. This is a "black-box" approach which simplifies design, implemen- 
tation and formal justification. The implementation reuses the TerminWeb code and an 
implementation of the backwards analysis algorithm described and formally justified in 
( [King and Lu 2002| |. 

Both systems compute the greatest fixed point of a system of recursive equations. In 
our case the implementation is based on a simple meta-interpreter written in Prolog. In 
cTI, the implementation is based on a ^-calculus interpreter. In our case this system of 
equations is set up as an instance of backwards analysis hence providing a clear motivation 
and justification ( |Mesnard and Ruggieri 20011 . 

7 Conclusion 

We have demonstrated that backwards analysis provides a useful link relating termination 
checking and termination inference. This leads to a better understanding of termination 
inference and simplifies the formal justification and the implementation of termination 
inference. We demonstrate this by enhancing the analyser for termination checking de- 
scribed in llCodish and Taboch 19991 to perform also termination inference. We also iden- 
tify a simple condition which guarantees that termination inference can infer all provably 
terminating modes when the corresponding analysers make use of the same underlying 
analyses for size relations and instantiation dependencies. 

Acknowledgement We thank Andy King, Fred Mesnard and Cohavit Taboch for the 
useful discussions, as well as the exchange of code and benchmarks. 
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